Skip to main content

tv   Key Capitol Hill Hearings  CSPAN  July 16, 2014 11:00pm-1:01am EDT

11:00 pm
mentioned. we've really greatly built our expertise in understanding the insurance industry and its unique characteristics. we have explicitly when we came out with our 165 rules refrain from putting in effect capital rules that would apply to heavily insurance based companies in order to make sure that we thoroughly understand their unique characteristics. >> thank you chairman. >> the time has expired. last but not least another gentleman from pennsylvania. >> we want to thank chair yellen for the investment of time here. i think you've been very generous with your time which we all appreciate. the number one issue in my district back in buck, pennsylvania is jobs and the economy. there's been much said about what appears to be government
11:01 pm
rate of improving unemployment rate and what that says about our economy. you've talked about that both in your policy report and your written statement here today and your oral statement you said the unemployment rate has fallen nearly 1.5% rates over the past year. it stood at 6.1%. >> the gentleman will suspend. the clerk is having a little trouble hearing if you could speak closer to the microphone. >> much has been said about the unemployment rate fallen 4 points from the height. my concern is that these government numbers don't seem to distinguish between full time employment and part time employment. >> if the gentleman would suspend one more time. would you mind using the microphone adjacent to you and let's see if that corrects the problem? >> is that better? >> perhaps the microphone for mr. west mooreland might work.
11:02 pm
let's try this? >> okay. chairman in march you gave a speech about what the fed is doing to tackle the unemployment rate. you made this observation. this is a quote, the existence of such a large pool of partly unemployed workers is a sign that labor conditions are worse than indicated by the unemployment rate. that was the national inner agency reinvestment conference in chicago. >> uh-huh. >> it was back in march. do you believe that the unemployment rate is as currently reported by the bureau of labor statistics is an accurate snap shot of the labor market? >> well, it's one particular measure but it's obviously not complete. the bureau of labor statistics reported on the number of individuals who are part time employed and involuntarily so would like more work. that figure has been running
11:03 pm
about 5% of the labor force which is an unusually high level. the labor department computes some broader statistics pertaining to unemployment. one of them is called u 6. it's the standard civilian unemployment rate with those involuntary part time employees added in and also those who were discouraged or marjally marginally attached to the labor force. it's much higher. it's running around 12%. it has come down significantly along with the narrower measure of unemployment but clearly, what's called u 3 or the 6.1% unemployment rate is not a complete measure of what's happening in the labor market. that's why we have said the
11:04 pm
federal reserve, the foamc has said we are looking at a broad measure of indicators, including many indicators of the labor market to assess where it stands. >> because many, you know, here on the legislative side look at the unemployment rate, i guess it's the u3 which is 6.1% they look at that to make policy spending on programs and the like. what do you think is the better reflection of the true employment of the nation because my constituents are not buying the 6.1%. it doesn't feel right. they know it's not right. it's not april akn accurate ref of what's going on in the economy in real towns across america. >> that's why i believe you have to look at many measures of the labor market and there are obviously is more distress than is captured in that 6.1% number. the 12%, for example, or roughly
11:05 pm
u6 measure is capturing a broader change of distress but there are many metrics we can't judge something as complicated as the labor -- >> is there anything in particular that the bureau of labor statistics can do to create a more accurate picture of the economy? >> i think we shouldn't try to look for one single number to assess what's a complicated phenomenon. if i had to choose one and only one number to look at, i would choose the 6.1 u3 number but i don't think that's adequate. i think we should want a broad range of measurements of different aspects of the labor market and to keep them all in mind. >> i remain concerned by this, you know, these monthly reports that say the unemployment rate is coming down.
11:06 pm
not counting individuals who are part time and full time. not counting individuals who are not actively engaged in a search who have given up in a search. people are desperately looking for work are not reflected in the numbers in the government that is supposed to care about them. >> i agree. i mention mid only concern with some who are simply measured as out of the labor force who might rejoin and want work if it were available. >> chair, thanks for your service. appreciate it. >> thank you. >> the time for the gentleman has expired. i would like to thank clair yellen for her testimony today. with out objection, all members will have five legislative days to submit additional questions for the witness. without objection they will have five legislative days to submit extraneous measures for the chair for inclusion in the record. this hearing stands adjourned.
11:07 pm
>> members of the house rules committee on wednesday consider the proposed lawsuit brought by speaker john boehner against president obama over executive orders. you can see the entire hearing online at here is a little of what members heard from legal experts. this is not a question of what should be done. it is a question of how it should be done and more importantly who should do it. the president suggested he can go at it alone. there's no license in the madisonian system to go at it alo
11:08 pm
alone. he said he will resolve the division in congress by ordering things on his own terms as a majority of one. that's what makes it dangerous. for those who remain silent in the face of this. i will say what is obvious. this will not be our president. in a couple of years there will be someone else in the oval office. the arguments which are being made today can be used then to nullify environmental laws. i cannot speak as to what will happen in this late iingatiitig. i can speak to what should happen. in my view congress should have standing. that's the most important thing in this case is this body to enforce the rating to be heard in the judicial branch. the courts have removed themselves from this process. the result has been the dysfunctional politics that we see. i don't believe that the
11:09 pm
challenges in front of this lawsuit is an excuse to do nothing. we are and we will remain a divided country. when we're divided, fewer things get done. you have a choice in our system. you can compromise or you can change the make up of congress. you don't go at it alone. i believe the aca is a great example of the problem with this. this is probably the most important program in my generation in terms of size and impact. it happens to be something i support of national health care. it should be unencumbered by questions of the legitimacy. it should go forward with the courts defining the lines of separation. this body taking a stand is a welcome change. as much as i respect the president e the arguments he's making over presidential authority are extreme and they have defoid of principles that make up our system.
11:10 pm
that covenant of faith is that no matter what our divisions are we will remain faithful to the limits we imposed upon ourselves and our branches. it's that very covenant that this committee gives when we raise our hand. we've grown impatient with the constraints of the system. these arguments seem antiquated when we look at health care or immigration. it is always tempting when one person steps forward and says they can get the job done alone. that's the siren's call that the framers told us to resist. we remain a nation of laws. the place for those questions is the united states courts. that's where this authorization will take us. >> i think history here should be your guyed aide and what we
11:11 pm
here. recounting all the great battle between the president and congress throughout our history. he notes never did it seem appropriate for one to sue the other for how they were carrying out their functions. i think it's quite dramatic that the professor believes that he could bring suit if he thought the speaker of the house assumed the roll of commander in chief. the point here is not who was the better reading on this particular question of whether there's an implicit transition authority to smooth the transition to the new requirements. the critical fact that this is mere lay debate about the best way of construing legislation and the house has no legal interest in that. now, whatever the right answer. this may be an important matter in terms of extending health care to 25, or 30 million americans and making sure the business has time to comply with
11:12 pm
the new requirements that this business desired and as i believe this house overwhelmingly supports. that's what this transition is carrying out. whatever the right answer to that question, i think it's safe to say that never in our history has such a radical change in the role of the judicial branch been proposed to deal with such a routine question of administrative process. allowing this kind of suit by the congress every time it disagrees with how a president carried out the law would be a radical liberalization of the role that the judiciary has played and it is a transformation that this committee and the house should decline. >> 40 years ago the water gate scandal led to the only resignation of an american president. throughout this month american history tv revisits 1974 and the final weeks of the nixon administration. this weekend, opening statements from the house judiciary committee as members consider
11:13 pm
articles of impeachment against president nixon. >> it's the one act in which the entire country participates and the result is binding upon all of the states for four years. the outcome is accepted. the occupant of that office stands as a symbol of our national unit and commitment. so if the judgment of the people is to be reversed if the majority will is to be undone, if that symbol is to be replaced through the action of the elected representatives, then it must be for substantial and not trivial offenses supported by fact and not by surmise. >> sunday night at 8:00 eastern on american history t.v. on cspan 3. >> up next a hearing on the fbi's efforts to combat cyber crime. it's an hour and a half. appear
11:14 pm
senate judiciary subcommittee chaired by >> i call this hearing of the judiciary committee, subcommittee on terrorism to order. thank you evan for being here. i have the permission of my ranking member to do get under way. he will be joining us shortly. allowing for opening statements and so forth i think it's probably the best way owe do this to simply proceed and get under way. today's hearing is entitled taking down bot nets. public and private efforts to
11:15 pm
disrupt and dismantle cyber criminal networks. we will be hearing testimony about these bot nets and the threats that they pose to our economy, to our personal privacy and to our national security. a bot net is a simple thing. it's a network of computers connected over the internet that can be instructed to carry out specific tasks. the problem with bot nets is that typically the owners of those computers don't know that they are carrying out those tasks. bot nets have existed in various forms for well over a decade and they are now recognized as a weapon of choice for cyber criminals. it is easy to see why. a bot net can increase the computing resources at a hacker's disposal exponentially all while helping conceal the hacker's identity.
11:16 pm
a cyber criminal with access to a large bat net can command a virtual army of millions, most of whom have no idea that they have been conscripted. bat nets enable criminals to steal individuals personal and financial information, to plunder bank accounts, to commit identity theft on a massive scale. for years bot nets have sent most of the spam that we receive. the largest bot nets can capable of spending billions of spam messages everyday. they are also used to launch distributed denial of service or ddos attacks which can shut down web sites by simply overwhelming them with traffic. this is a constant threat to our businesses in every sector of the economy.
11:17 pm
the only limit to the malicious purposes for which bot nets can be used is the imagination of the criminal who controls them. when a hacker runs out of uses for a bot net, he can simply sell it to another criminal organization to use for an entirely new purpose. it presents a virtual infrastructure of crime. let's be clear. the threat from bot nets is not just a threat to our wallets. bot nets can effective weapons not merely for those who want to steal from us but also for those who wish to do us far more serious harm. experts have long feared that the next 9/11 may be a cyber attack. if that's the case, it is likely that a bot net will be involved. simply put, bot nets threaten
11:18 pm
the enteg rintegrity of our com networks, our personal privacy and our national security. in recent years, the government and the private sector have launched aggressive enforcement actions to disrupt and to disable individual bot nets. the techniques used to go after these bot nets have been as varied as the bot nets themselv themselves. many of these enforcement actions use the court system to obtain injunctions and restraining orders, utilizing innovative legal theories, combining modern statutory claims under statutes such as the computer fraud and abuse act with such an shent common law claims trespass to channels. in 2011, the government obtained for the first time a court order that allows it to seize control
11:19 pm
of a bot net using a substitute command and control server. as a result, the fbi launched a successful take down of the core flood bot net, fleeing 90% of the computers core flood had infected in the united states. microsoft working with law enforcement has obtained several civil restraining orders to disrupt and in some cases take down individual bot nets, including the citadel bot net which was responsible for stealing hundreds of millions of dollars. earlier this year, the justice department and the fbi, working with the private sector and law enforcement agencies around the world, obtained a restraining order allowing them to take over the game over zeus bot net.
11:20 pm
it was challenging because it relied on a infrastructure that was designed to thwart efforts to stop it. i look forward to learning more about these and other enforcement actions and the lessons that we should take away from them. we must recognize that enforcement actions are just one part of the answer so i'm interested in hearing also about how we can better inform computer users of the dangers of bot nets and what other hygiene steps we can take to address this threat. my hope is that this hearing starts a conversation among those dealing day to day with the bot net threat and those in congress who are deeply concerned about that threat. congress, of course, cannot and should not dictate tactics for fighting bot nets. that must be driven by the expertise of those on the front lines of the fight. congress does have an important role to make sure there's a solid legal foundation for
11:21 pm
enforcement actions against bot nets and clear standards governing when they can occur. we must also occur that bot net take downs and other actions are carried out in a way that protects consumers privacy all while recognizing that bot nets themselves represent one of the greatest privacy threats that computer users face today. they can actually hack into your computer and look at you through your web cam. we must take sure that our laws respond to a threat that is constantly evolving and encourage rather than stifle innovation to disrupt cyber criminal networks. i look forward to starting this conversation and to continue it in the months ahead. i thank my distinguished ranking member for being such a terrific colleague on these cyber issues. we hope that a good piece of
11:22 pm
cyber bot net legislation can emerge from our work together. i thank you all for participating in this hearing and for your supports to protect americans from this dangerous threat and before we hear from our witnesses, i will yield to my distinguished ranking member senator lindsey graham. >> thank you mr. chairman. i want to acknowledge your work on this issue in terms the threats we face in the criminal front and terrorist front. congress is having a difficult time organizing ourselves to combat both threats. to make sure this is not an academic exercise, i guess this was last year or a bit longer, the department of revenue in south carolina was hacked into by -- we don't know all the details but a criminal enterprise that stole millions of social security numbers and information regarding company's
11:23 pm
charters and revenue. thus required by the state of south carolina to purchase protection. i think it was a $35 million per year allocation to protect those who had their social security numbers stolen we believe by a criminal ept prize. it happened in south carolina. it can happen to any company, business or organization. in america our laws are not where they should be so the purpose of this hearing is to gather information. hopefully come out and be a friend of law enforcement. senator whitehouse you deserve a lot of credit in my view about leading the effort in the united states senator if not the whole congress on this issue. thank you. >> i'm delighted now to welcome our administration witnesses. before we do, his timing is perfect. senator chris coons has joined us. the first witness is leslie
11:24 pm
caldwell. she's the head of the criminal division at the department of justice. she was confirmed on may 14th. 2014. she hassica dedicated most of h career on handling criminal cases. she served as a federal ausa in us attorney's offices in both new york and california. after her testimony, we will hear from joseph demaris who is the assistant director for the fbi's cyber division. joined as a special agent in 1988 and has held several liedership positions within the bureau serving as head and assistant director of the international operation's division and the assistant director of the new york division. he was appointed in 2012 to his current position and i have had
11:25 pm
the chance to work very closely with him and i appreciate, very much, the energy and determination that he has brought to this particular arena of combat against the criminal networks of the world and i look forward to his testimony. we will begin with assistant attorney general walledwell. >> thank you for the opportunity to discuss the justice's department against bot nets. i want to thank the chair for holding this hearing. the threat from bot nets defined in simple terms as networks of hijacked computers infected with software or malcare which was controlled by an individual or organized group for criminal purposes has increased dramatically over the past self years. they are using state-of-the-art
11:26 pm
techniques to take control of thousands or even hundreds of thousands of victim computers or bots. they can flood an internet site with junk data. they knock it off line by doing that. they can steal banking credentials, credit card numbers, other financial information. send fraudulent e-mail or even spy on unsuspecting computer users through their web cams. they are intended to undermine american's privacy and security and steal from unsuspecting victims. if left unchecked, they will succeed in doing so. they have become more sophisticated over recent years, the department of justice working through highly trained prosecutors at the computer crime and intellectual property division. at the national security division at the justice department u u.s. attorneys offices across the country and fbi and other law enforcement agencies have adapted and
11:27 pm
advanced our tactics to meet this threat. as one example, in may of this year, csips, the u.s. attorney for the western district of pennsylvania, and the fbi in partnership with other federal and private sector organizations, disrupted the game over zeus bot net and indicted a key member of that group that operated that bot net. until it's disruption, it was regarded as the most sophisticated bot world wide. it infected between 500,000 and one million computer and caused more than $100 million in financial loss. put simply, the bot master stole personal informations from victim computers and with the click of a mouse, used that stolen information to empty the batchi bank accounts and rob small businesses, hospitals, and other victims from transferring funds from the victim's accounts to
11:28 pm
the criminal accounts. and also installed another malware known as random wear that was installed on infected computers and enabled them to encrypt key files on the infected computers and charged them a random for the release of their files. crypt oe locker infected more than 260,000 computers world wide. the department's operation against game over zeus began with a complex international investigation conducted in close partnership with the private sector. it continued through the department's use with a combination of court authorized civil and legal process to stop infected computers from communicating with one another. it ultimately permitted the team to not only identify and charge one of the leading perpetrators but also cripple the bot net and stop the random wear from functioning. it was able to identify victims and working with the department of home land security, foreign
11:29 pm
governments and private sector partners was able to facilitate the removal of malware from computers. as we informed the courts last week it remains inoperable and out of the criminal's hands. they are down 30% and crypt oe locker remains nonoperational. as the successful operation demonstrated we are employing tools that congress has given us to protect our citizens and businesses. we're leveraged our strengths by partnering with businesses all over the world and the private sector. if we want to remain effective our laws and resources must keep pace with the increasingly sophisticated ways of our adversaries. they are always adapting. i discussed several resource increases that will assist the department to counter these threats. these include an amendment to the computer fraud abuse act and
11:30 pm
several other proposals. we look very much forward to working with the committee to address these issues. we also need additional resources at the department to continue to disrupt bot nets, includi including hiring new attorneys in my state. thank you for my opportunity to discuss our work in this area and i look forward to answering any question you might have. >> thank you assistant attorney general caldwell. >> now director demaris. >> good afternoon whitehouse. thank you for holding this hearing. chairman whitehouse. i look forward to discussing the progress of the fbi that it has made on campaigns to disrupt and disable our significant bot nets that you know that we target. cyber criminal threats pose very real threats to the economic security and privacy of its citizens. the use is on the rise. industry experts estimate that
11:31 pm
bot net attacks have resulted in the overall loss of millions of dollars from financial institutions and other major businesses. they also effect, universities, hospitals, defense contractors, government, and even private citizens. the weapons of a cyber criminal are tools like bot nets which are created with malicious software that is readily available for purchase on the internet. criminals distribute this malicious software also known as malware that can turn a computer into a bot. when this occurs, a computer can perform automated tasks over the internet without any direction from the user. bot nets can be used for organized criminal activity, covert intelligence collection or even a tax on critical infrastructure. the impact of this global cyber threat has been significant. according to industry estimates, bot nets have caused over $9 billion to victims and over $10 billion in losses globally.
11:32 pm
approximately 500 million computers are effected each year. the fbi with its law enforcement partners and private sector partners, to include the panel of distinguished presenters today from microsoft, far sight, have had success in taking down a number of large bot nets but our work is never done. by combining the resources of government and private sector and with the support of the public, we will tip to improve cyber security by identifying and catching those who threaten it. due to the complicated nature of today's cyber threat, the fbi has developed a strategy to systemically identify those who are in support of the complex criminal schemes. the fbi has initiated an aggressive aproef to disrupt and
11:33 pm
dismantle most bot nets coined operation clean slate is spear headed by the fbi including partners like the dhs and private sector. it is a comprehensive public/private effort evani public/private effort to target bot nets and those coders responsible for creating them. international partners, major isbs, the u.s. financial sector and other stakeholders and del secure works being one of the -- operation clean shlate has thre objectives. to increase the actors cost of doing business, to seed uncertainty in the actors by causing concern about potential or actual law enforcement action
11:34 pm
against them. just a brief description about some of the successes of late. in december, 2012 the fbi disrupted an international organized crime ring related to butterfly bot net which stole credit card information, bank account and other personal identifiable information. the butterfly bot net comprised of more than 11 million computer sift edges and $850 million in losses. the fbi along with partners executed numerous search warrants and conducted interviews and arrested ten individuals from boz knne bossbd new zealand. in june, 2013, again, the formal debut of operation clean slate the team in coordination with microsoft and financial service leaders disrupted the sid s sid
11:35 pm
was responsible for the loss of over half a billion dollars. over a thousand domains were seized. building on that success of the disruption of sid adel in december of 2013, interpol in combination of microsoft and other industry partners disrupted zero access bot net which was responsible for infecting more than $2 million computers targeting search results on google, bing, yahoo and cost online advertisers $2.7 million each month. in april of 2014, the op clean slate team indicted nine members of the conspiracy that infected thousand of computers with
11:36 pm
malicious software known as zeus which is a malware that captured passwords, account numbers and other information necessary to og l log onto bank accounts. they stole millions of dollars from account holding victim's bank accounts. later, june, 2014, another operation by the clean slate team. now a multinational effort. the most sophisticated bot net the fbi and its allies had ever attempted to disrupt which was responsible for millions of dollars in losses for businesses and those all over the world. it involved cooperation with the private sector namely del secure works. it is an extremely sophisticated type of malware designed to steal banking and other
11:37 pm
credentials from computers it infects and use those credentials to initiate or direct wire transfers to accounts over seas controlled by the criminals. losses from it are supposed to be over $100 million. our focus is impacting the leaders of the criminal enterprises and terrorist organizations we pursue. we're focusing the same effort on the major cyber actors behind the bot nets. we remain focused on defending the united states against these threats and we welcome the opportunity to discuss our efforts. we are grateful for the support and yours in particular, senator whitehouse. we look forward to working closely with you as we work to disrupt bot nets. >> thank you very much. they have to be hundreds of thousands or millions of bot nets out there. one could say so many bot nets, so little time. so given that, what are your
11:38 pm
factors for priorityizing which ones to go off. >> well, operation clean slate, it was to forge alliances with the private sector and government and pry ioritize the most egregious bot nets out there. working with government, dhs, friends in the intelligence community but also microsoft and private sector, and looking across the world and those bot nets that are seemingly causing the most economic dang or other means or potentially physical damage and then prioritizing those and developing a campaign about going after not only the infrastructure but the actors behind that bot net or those bot nets. >> assistant attorney general caldwell. this predates but but i've had some concerns based on my time in the department of justice as
11:39 pm
a u.s. attorney about the way in which the department has responded to the bot net threat. i think you're doing a -- a good job but there's a cultural divide sometimes between the criminal prosecutors and the civil attorneys for the government. these cases take down the bot net tend to be civil cases in nature. i've worried a bit about the extent to which it's extinctive on the part of federal prosecutors to think it's a lesser task and pursuit than what they are doing and whether that gets in the way of adequately pursuing the civil remedies that shut these bot nets down. the second is that when the core flood take down took place it appears to me that that was kind of an ad hawk group of very
11:40 pm
talented people that were brought together to address themselves to core flood and succeed in taking it down. once the operation was complete, they went back to their individual ausa slots and offices around the country and the effort was disbursed. i think the bot net problem is a continuing one. as soon as you strip out some of the worst offenders, others pop up into the next most wanted bot net slot and i'm interested first, in how you're making sure that this is prioritized despite the civil nature of the legal proceeding that cures the bot net problem that strips it out of the system and what you've done to try to establish a permanent lasting institutional presence for taking down bot nets without having to reassemble teams each time a bot net rears its head as a target.
11:41 pm
>> thank you, senator. i think the game over zeus operation is a perfect example of how we see this going forward although i wouldn't dispute that there are some criminal assistant u.s. attorneys who may think the civil attorneys have a less exciting job. we don't see it that way. the civil component as you indicated is a very critical part of this. but there are different ways to approach bot nets. they are all different as you indicated earlier. in game over zeus we used a combination of civil and criminal authorities. i think that's, again, it isn't one size fits all but i think that's likely what we will continue to see in the future as you know, the leading perpetr e perpetrator of that particular bot net was actually indicted criminally and civil injunctions were obtained at the same time. it was very carefully coordinated. there's a lot of communication between the civil prosecutors who were handling the injunction
11:42 pm
paper work and the criminal -- it was all team. the civil is a very important tool. we expect to continue to use it. there are some holes in that tool. right now we're permitted to get a civil injunction against fraud and wire tapping. as you indicated in your opening remarks, bot nets are not always engaged in wire fraud. what we would like to see is an amendment to the statute to permit injunctions in other circumstances in which we see bot nets operating. on the issue of institution nonin knowledge, the computer/crime, is really the receptacle -- the section has a headquarters component and a lot of institutional knowledge about bot nets so that if one prosecutor leaves, the knowledge isn't going to leave. we coordinate regularly with the
11:43 pm
fbi. there's allot of coordination with the computer hacking in the u.s. attorney's office. there's a lot of knowledge about bot nets. >> in a nutshell you feel that that task has been adequately institutionalized in the department that there will be continuity and persistence rather than ad hawk efforts? >> yes. and i think that although we weren't as prominent, there were at laefteast a half dozen bot n take downs. there's definitely a priority and a lot of focus. there's a lot of knowledge between the prosecutors and they will keep coming and we will keep attacking them. >> my impression was that some of those were sporadic and ad
11:44 pm
hawk take downs that appeared in individual u.s. attorney's offices and not necessarily consistent with a continuing, lasting persistent presence stripping down one bot net after another. i'm glad that you've gotten where you've gotten. >> senator graham. i think he's the elliottness of botness. >> no matter what kind of behavior you're dealing with you think to deter it may people think if i do this i will get caught. if i get caught bad things will happen. what do you think the deterrence is like right now? >> well, i think it's significant now. i have seen it in years past maybe not so where they did travel and if he thelt thfelt t some actions with impuimpunity. i find today we're causing impact because we see them talking among each other in concern about traveling now
11:45 pm
which is a way of containing some of the threats that we see with individuals today. >> what nation states do we need to worry about in terms of involvement in activity. >> in asia. >> are they reliable partnerships with the governments. >> we're opening dialogue on that front. i think you will find with some of our russian counterparts in-li in law enforcement are a bit more agreeable. we're working toward improving relationships. >> if it's possible maybe by the end of the year could you provide a committee with a list of countries that you think are good partners and a list of countries that you think have been resistant? >> yeah. easily done. based on our activities or working with the countries we do work with. >> once we identify them maybe
11:46 pm
we can change their behavior. was this a problem five years ago? how long ago has this been a problem? >> this has existed for years. this is the tip of the iceberg. i think as we get more sophisticated in being able to identify -- >> with a made us aware of it today more than say five years ago. just the consequences? >> think consequences. victim reporting. major losses occurring to private industry. >> is there any end to this? how far can these people go? >> this he will keep on going. as you can see each bot will evolve. we take actors off. malware will change. we see a complete evolution because again, we're actually placing at least there's a price to pay for actually engaging in this activity now. >> are terrorist organizations involved in this? >> we track them very closely.
11:47 pm
i would say there's an interest but much further than that senator graham probably in a different setting we could give you a further briefing. >> ms. caldwell on the civi civil/criminal aspect of this, what would you like us to do to help. >> one is the one i already mentioned which is -- >> shut my phone off. >> changing the civil injunction ability so that we will have the ability to enjoin bot nets other than those who are engaged in wire fraud and tapping. he'd like to be able to could that. >> do we need increased p ed penalties. >> that's an interesting question senator. i think we've been seeing increased penalties being imposed by courts. >> statutorily, do we need to
11:48 pm
change any statutes to make this bite more? >> i will defer to ms. wallcald. >> i think the maximum sentences under most of the statutes are adequate. i don't think we need any kind of mandatory minimums because we've seen judges imposing sentences ash the seven, eight, nine year range. there are a couple of other things we'd like to see. right now there's no law that explicitly covers the sale or transfer of a bot net already in existence. we've seen evidence that folks sell bot nets. they rent them out. one thing which is a little bit off point but still relevant to bot nets is that right now there's no law that prohibits the overseas sale of u.s. credit cards unless there's been in action taken in the united
11:49 pm
states or unless money is being transferred from over seas to the united states. we see credit card situations where people have millions of credit cards from many financial institutions without setting foot in the united states. >> so you could buy credit card information from overseas and basically be immune. >> correct unless you transfer proceeds of your scheme back to the united states. >> okay. one last question here. when they basically seize your computer or hijack your computer, the information contained therein, they actually make a random demand. how does that work? >> under crypt oe locker what happened. i'm not a technical expert but you would be on your computer and you would see something flash up on your screen that said all of your fires are encrypted and would remain that way until you paid a random
11:50 pm
within x amount of hours. if you didn't pay your files will deleted. >> payment made from bit coin. if not, your box would be encrypted. >> do people pay? >> they do. >> what's the biggest pay out you've seen? >> well, crypt oe locker and crypt oe wall now. there's a major concern to pay probably in excess of $10,000. they are focused now on major concerns. businesses, entities. >> is that extortion under our law? >> yes. >> so you don't need to change that statute. >> the problem is that though as with a lot of these cyber crimes, most of the people who are engaged in this activity are overseas. >> thank you. let me recognize the senator who's been very interested and dedicated to this topic and whose home state is very energized on this topic because the delaware national guard
11:51 pm
actually has a cyber wing that is very activity they are one of the best in the country. >> thank you very much. thank you senator whitehouse and graham. given the persistency of this threat, given its trajectory, it's scope and scale and the resource that's you're having to deploy in order to take down these bot nets and in order to break up the criminal gangs, is it acceptable or possible to deal with this threat with a federal law enforcement alone or do we need partnership. how are we doing it with inegg raeting federal, state, local. second, what kind of capabilities do businesses, does the private sector and citizens have. what are we doing to help scale
11:52 pm
up that because resiliency of our country and our ability to respond to these threats as we all know much as it is with natural disasters or with terrorism threats requires a everybody engaged response that engages our private sector and engages entrepreneurs and local and federal law enforcement. >> thank you senator. the state and local question. we have cyber task forces throughout each of our offices. there are 56 out there. each office is engaging at the local level to bring state and local authorities aboard whether investigator or net defenders from the organizations they represent. they difficult because of resources being somewhat constrained at the state and local level and fully understanding and appreciating what the threat is. it's focused on internet fraud whether defrauding the elderly or real estate fraud and working with state or lobal having them
11:53 pm
bringing an investigating officer aboard. we work with them to foster their skills or develop their skills in this area working cyber crime. it has worked well in some of the initial offices in utah and down in dallas with some of the local department of dallas police department. we've got a long way to go for them to fully appreciate what the threats are today facing the public or citizen that's are responsible for it. on the private sector, we've worked far and wide and somewhat limited in force. we've now focused on those priority sectors, if you will that are most threatened. we've found time and time again the most threat ebbed and vulnerable with those small to medium business size owners who they may one person responsible for internet, or cyber security information and the like. how to we target that band and bring them aboard. we actually had representatives from the health care industry in our headquarters working through
11:54 pm
what that situation would look like with health care because we've focused on finance, energy, telecommunications and the like over the past two years. how do we broaden that effort out. >> implicitly with reference to health care, we now have an online treasure trove of data to go after. >> i think any online data base is vulnerable. some obviously have more security protections than others. as you indicated, the health care databases have a lot of sensitive and personal information. we've seen in some of the bot th nets that we've seen over the years some of the victims were hospitals with game over zeua. that's an area we're very concerned about. >> both of our states have
11:55 pm
blessed to have squaudrons in te national guard which takes advantage of the fact that we have a fairly sophisticated financial sever rvice community. as a result there's a lot of fairly capable and sophisticated online, security, and financial services security professions who can then also serve in a law enforcement and national security first responder context through the national guard. what lessons do you think we could learn from that partnership and collaboration in our two home states and how could that lead us to a scale up of the needed federal work force to respond to and deal with these law enforcement challenges . there's a treasure trove of skill in the guard. we hosted a cyber exercise in 2014. we brought personnel from around the field at least 50 from our
11:56 pm
local cyber task forces that corresponded with the local task forces that were there. the deputy director had a meeting with cyber command, osd and joint staff about how we better correlate or collaborate in this space. tomorrow we're actually having another meeting with the combatant commanders at my level to put it in place. as you know admiral rogers held a meeting at nsa recently to talk through what that looks like in working with cyber command, the guard forces and reserve forces, what skills they bring. how that they assist the fbi in our operations and also training opportunities that we can leverage with one another. >> terrific. thank you for your testimony. i look forward to hearing more about the development of this partnership. i want to thank you for your leadership in this area senator whitehouse. >> well, i will let you two go. this is such a fascinating and
11:57 pm
emerging area of criminal law enforcement. i appreciate very much the work you do. i want you to pass onto attorney general holder my congratulations for the pursuit particularly exemplified by the zeus take down. those are very welcomed steps i. looking forward to seeing more criminal prosecution of foreign cyber hackers. i think the opening gambet was really terrific. congratulations to you both. thank you for your good work. we release you and call the next panel forward.
11:58 pm
>> thank you so much for being here. this is a terrific private sector panel on this issue. i've grateful that you've all joins. i will make the formal introductions with everyone. our first witness will be richard boscovich which is the assistant attorney general counsel on microsofts digital crimes unit. a position where he developed the legal strategies used in the take downs and disruptions of several bot nets including the citadel, zeus and zeus bot net.
11:59 pm
he directed the district's computer hacking and intellectual property unit. well, we will hear next from the vice president of global affairs and cyber security policy at semantec corporation which is our leading cyber security providers in this country she's responsible for their global strategy including privacy. before she joined them in 2010 she was the director for critical infrastructure cyber security in microsofts trust worthing computing group and before that she served in numerous positions in the department of home land security including the deputy director of the national cyber security division and the uscert j we will hear from dr. paul vixy who
12:00 am
is the chief executive officer of a commercial internet security company. he previously served as the chief technology officer for above net; an internet service provider and the founder and ceo of maps. the first anti-spam company and the author of several internet standards related to dns and was the detainer of bnid. he was recently inducted into the internet hall of fame. finally, we will hear from greg spitzel who is the executive director, founder and president of the online trust alliance. the online trust alliance encourages best practices to help protect consumer trust and he works to protect the vitality and innovation of the internet. prior to founding the online trust alliance, he worked at microsoft again, the fraternity
12:01 am
where he drove development of anti-spam, anti-fishing, anti-malwire and privacy technology. he was appointed to the fcc's communication, security, reliability and inoperability counsel. he's also a member of infra guard. a partnership between the fbi and private sector. let me begin with richard. we're so glad you're here. thank you.roach to fighting and detecting bot nets. we also thank you for your leadership in focusing attention to this complicated and important topic. botnets are groups of computers remotely by hackers without knowledge or consent enabling criminals to steal information and identity, disrupt networks and distribute software and
12:02 am
spam. i'll describe how microsoft fights botnets, disrupting the tools and tle carefully designs these operations to protect consumers. to understand the devastating impact of botnets, we can look at how they affect one victim. consider in use power. a chef in the united ding come do found a warning she could not access the files unless she paid a ransom within 72 hours. all of her photos, financial accounting information and other data were permanently deleted. all this was caused by a botnet. she later told the reporter, if someone had robbed my house, it would have been easier. indeed, botnets conduct the digital equivalent of home invasions but on a massive scale. botnet operators quietly hijack web cams to spy on people in their homes and then sell photos
12:03 am
of the victims on the black market. they use malicious software to log every key stroke that they enter on the cuters including credit card numbers, social security numbers, work documents and personal e-mails. they send deceptive messages to appear as though they're sent by banks to convince people to disclose the account information. microsoft has long partnered with other companies and global law enforcement agencies to battle malicious cyber criminals such as those who operate botnets. we do not and cannot fight botnets alone. as the title of the hearing suggests it requires efforts of both the private and the public sector. we routinely work with other companies and des midwestic and law enforcement agencies to dismantle botnets. our joint efforts dpon strait that partnerships are highly effective as combatting cyber crime. problems as complicated of botnets cannot be addressed
12:04 am
without partnerships. microsoft's philosophy is simple. we aim for their wallets. cyber criminals operate botnets to make money. we disrupt botnets underlying the profit of the attacks. microsoft draws on our deep technical and legal expertise to develop carefully planned and executed operations that disrupt botnets pursuit to court approved proceedings. in general terms, microsoft asked for permission to destroy the botnets breaks the connection between the botnets and the computers. traffic generated by infected computers is either disabled or routed to domains controlled by microsoft where the ip addresses of the victims identified. privacy's a fundamental value. when we execute an operation we are required to work within the bounds of the court order. we never have access to e-mail or other continent of victim communications from infected
12:05 am
computers. microsoft receives the addresses used by the infected computers to identify the victims. we give domestic ip addresses to providers in the united states to alert customers directly. we give the rest of computer emergency response teams commonly referred to as serts in country is a then mote if ied of the infections and offered assistance in cleaning the computers. in summary, to the course of an anti-botnet operations, microsoft works to protect millions of people and the computers against malicious siper criminals and led to the disruption of trust on the internet. cyber criminals continue to evolve. they keep developing more sophisticated tools to proprofit from the chaos that they themselves create. we remain firmly committed to working with other companies and law enforcement to disrupt botnets and make the internet
12:06 am
more trusted and secure environment for everyone. thank you for your time, senator, and i'm happy to answer any question you may have. >> ms. mcguire? >> chairman whitehouse, thank you for the opportunity to testify today. i'm especially pleased to be here with you again to focus attention on bot nets and cyber crime and how industry and government are working together to address the serious issues. as the largest security software company in the world, symantec protects information business botnets are the foundation of the ecosystem and as was discussed earlier, the uses for malicious botnets are only limited by the imagination of the criminal bot masters. these can range as you mentioned from distributed denial of service attacks to bitcoin mining to distribution of malware and spam. bot masters also rent out their botnets as well as use them for stealing passwords, credit card data, intellectual property or
12:07 am
other confidential information then sold to other criminals. until now, virtually all botnets have been networks of infected laptops and desktop computers. however, in the past few years, we have seen botnets made up of mobile devices and we fully expect that the coming internet of things will bring us with it a future of thing bots ranging from appliances to home router to video recorders and who knows what else? taking down a botnet is technically complex and requires a high level ofl expertise. law enforcement and the private sector working together have made significant progress in the past several years. the work to bring down the zero access botnet, one of the largest botnets in history at 1.9 million infected devices is a good example of how coordination can yield results. zero access was designed for click fraud and bitcoin mining with an estimated economic impact of dens of millions of
12:08 am
dollars lost per year and the electricity alone to run that botnet cost as much as $560,000 per day. one year ago today, we began to sink holes infections which quickly resulted in the detachment of more than half a million bots. this meant that the bots could no longer receive any commands and were effectively unavailable to the bot master for updating or installing new revenue generation malware. another significant win came last month with the major operation against the financial fraud botnet game over zeus as several witnesses testified to. as part of this effort, we worked in a broader coalition to provide technical insights into the operation and impacts of this botnet. as a result, authorities were able to seize a large portion of the criminals' infrastructure. in our view, the approach used in the game over zeus operation is most successful to date and
12:09 am
should be a model for the future. a group of more than 30 international organizations from law enforcement, the security industry, academia, researchers and isps all cooperated to collectively disrupt this botnet. this successful model of public and private cooperation should be repeated in the future. while zero access and game over zeus were successes for law enforcement and industry, there are undoubtedly more criminal rings operating today. unfortunately, there are just not enough resources. as you said, so many botnets, so little time. as criminals, migrate online, law enforcement needs more skilled personnel dedicated to fighting cyber crime. and we take numerous steps to assist crickets of botnets and cyber crime and aid law enforcement around the world. in the interest of time, i will mention victim, a new online assistance program that we unveiled in april with the national white collar crime
12:10 am
center. this site helps cyber crime victims understand the investigation process. and in particular, i'd like to thank you again, senator whitehouse. it's already helped many victims of cyber crime. in combatting botnets, cooperation is key and the private sector we need to know that we can work with disrupt botnets without undue legal barriba barriers. i'm not talking about a blank check but consistent with protections and parameters, we need to be able to share cyber threat information and coordinate efforts quickly. information sharing legislation will go a long way to do this. but it also must address the considerable privacy concerns and must include a civilian agency lead and data min mization requirements. last, the law governing cyber crime should be modernized. in the u.s. we need to amend
12:11 am
laws such as the electronics communication privacy about and others written before the modern internet and e-commerce was invisioned. in addition, mutual legal assistance treaties and process that allows governments to cooperate take far too long to address the realtime nature. as this subcommittee knows so well, we still face significant challenges in the efforts to take down bot nets and dismantle cyber crime networks. while there remains much work to be done, we have made progress. we're committed to improving online security across the globe and we'll continue to work collaborateively with the customers, governments and industries on the ways to do so. thank you again for the opportunity to testify today and i'll be happy to answer any questions you may have. >> thank you and thank you for symantec's leadership in this area. i'm going to briefly recess the
12:12 am
hearing. we have a vote that started 15 minutes ago and i have 15 minutes to get there and vote so i have zero time and with any luck i vote, vote on the next vote and then come right back and then we'll be able to proceed uninterrupted fashion so please just relax in place. probably going to be five to ten minutes and we'll resume. thank you.
12:13 am
fines paid which are important. >> all right. the hearing will come back to order. i appreciate everybody's courtesy while i got those two votes done. and now dr. vixie we welcome your testimony. we welcome you here. please proceed. >> thank you, mr. chairman. thank you for inviting me to testify on the subject of botnets. i am speaking today in my personal capacity based on a long history of building and securing internet infrastructure, including domain name infrastructure and here at the behest of the messaging malware and mobile anti-abuse working group moog nonprofit internet association whose international membership is actively working to improve the internet security condition worldwide. let me start by reviewing some successful botnet takedowns in
12:14 am
recent years since they may prove instructive. they're successes, after all. in 2008, the worm was discovered and by mid-2009, over 10 million infected computers participated in the botnet, the largest to that time. i had a hands on keyboard role in operating the data collection and measurement infrastructure for the takedown team. in which competing commercial security companies most of which were members cooperated with each other to mitigate this global threat. then in 2011, the u.s. department of justice led operation ghost click, in which a criminal gang in estonia was arrested, charged with wire fraud and conspiracy.
12:15 am
while shutting off the criminal infrastructure the victims depended on. my employer was the court-appointed receiver for the criminals interknecht connectivity and resources. i personally prepared, installed and operated the replacement servers necessary for that takedown. in each of these examples, we seed an ad hoc public/private partnership in which trust was established and sensety information, including strategic planning was shared without any contractual framework. these takedowns were so-called handshake deals. where personal not government heft was the glue that made it work. in each case the trust relationships we had performed were key enable ers in which intent, competent and merit were
12:16 am
the guiding lights. the important cannot be overemphasized. we have found that when a single company or agency or a nation goes it alone in a takedown action, the result has usually been catastrophe. the ad hoc nature of these public/private partnerships may seem like cause for concern, but i hope you'll consider the following. first, this is how the internet was built and how the internet works. second, this is how criminals work with other criminals. we would not get far by trying to solve these fast evolving global problems with top-down control or through government directives and rules. as you yourself pointed out, a botnet is literally a network of robo robots, whereby "robot" we mean a computer that's been captured and made to run software neither
12:17 am
provided by the maker or authorized or installed by its owner. it has conflict -- and so forth. the only hard and fast requirement for any of this software is interoperability, meaning it merely has to work. the cost of the internet's spectacular growth d. sorry -- the cost is much of the software we run was not adequately tested. the challenge for the internet is perhaps there's more assurance that an ul listed toaster will not burn our house, whereas some of our devices are insulated from becoming a tool of online criminals. these are consumer devices in a competitive and fast-moving market. time to market is often the distance between success and bankruptcy. this is a very brief overview. i'd like to leave you with the
12:18 am
following thoughts. number one, the internet is the greatest invention in recorded history, in my opinion, in terms of its positive impact on human health, freedom and on every national economy. the interned is borderless, yet carries more of the world's commerce every year. number four, takedown of criminal infrastructure, including botnets must be approached not just as reactions after the fact, but also as prevention by attacking underlying causes. number five, the u.s. department of justice is the envy of the world in its approach to takeouts and its awareness of the technical and social
12:19 am
subtleties involved. when i give a special nod to ncfta, a public/private partnership with strong fbi ties located in pittsburgh. number six and finally, no legislative or regulatory relief is sought in these remarks. the manner in which government and industry have coordinated and cooperated on botnet takedown efforts have underscored the effectiveness of public/private partnerships as currently practiced in this field. mr. chairman, this concludes my oral statement. thank you for this opportunity to speak before you, and i would be happy to answer your questions. >> thank you very much. finally. before i my apologies for the mispronunciation earlier. and let me say without objection, the complete statements will be made a part of the record. i appreciate the abbreviated version that allows the testimony to proceed expeditiously at the hearing.
12:20 am
>> thank you very much. >> i would also thank you for your leadership and focus and attention to this important topic. my name is craig spiezle. i'm with the online trust alliance. ota is a global nonprofit to enhance online trust, and promoting the vitality of the internet. botnets pose a significant risk to governments and businesses. increasingly bots are -- ransom wear, driving identity theft, takeovers and holding users and their data hostage. it's important to recognize that fighting bots is not a domestic issue. criminals are leverages the jurisdictional limitation of the law infersment and often
12:21 am
operation with impunity. left uninvaded they are a significant threat to our infrastructure and our economy. in my brief testimony, i will touch on five keir areas -- status of industry efforts, a holistic anti-bot strategy, the role and issues of takedowns, the role of data sharing, and the importance of privacy safeguards. efforts to combat botnets have been arranged by a -- an example is the fcc's security and interoperability council which last year developed an antibotnet code of conduct for isps. this is a first is it eman example of the industry's ability to self-regulate. in parallel, the ota has fa silled several efforts bringing in leaders around the world. we have published specific remediation and notification best practices and anti-bot guidelines to hosts, the initial adoption of these practices are now paying dividends, helping to
12:22 am
protect user data and their privacy. it requires a global strategy, as outlined here in exhibit a, ota advocates a five-prong framework -- prevention, detection, notification, remediation and recovery. and within each one of these, we've outlined a partial list of tactics, which underscores the increased need for collaboration, research and data sharing between both of public and private sectors. in the bottom of this, it also points out the role of consumers and education. we need to help them update their device, and also look to how we can education them on the risks of botnets. as outlined, law enforcement is an important part as well. it serves three major functions -- during this period of timing cybercriminals and bringing criminals to justice, but law enforcement cannot act on this alone. a trusted partnership is
12:23 am
required, and progress has been made with industry leaders, including microsoft, symantec and others. but they need to be taking into considering -- one, the risk of collateral damage, two the errors in identifying targets for mitigation, and three, the importance of respecting users' privacy. for example, when taking down a web hoster because they have a handful of bad customers there's a risk of class real damage. at the same time, service providers cannot hide behind bad actors and they must take steps to prevent the harboring of such criminals. it's also important to note they all run similar risks. web browser can misidentify phishing sites and av solutions can mistakenly block downloads. recognizing these possibilities, risk assessments procedures must be preestablished with processes in place to remediate any unintended impact. data sharing has a promise of
12:24 am
being one of the most impactful tools, yet must be reciprocal. collaboration is required in all sectors. in this void the privacy larned scape is also rapidly evolving. prior sill must be the foundation of all data-sharing practices. i believe these can be easily addressed. when data is used and collected for threat detection, conversely, industry needs assurances that law enforcement will not use any data for any other purposes. as this exhibit outlines, every stakeholder has a responsibility. progress has been made, but a renewed commitment is required. as the enter net of things, mobile and the smart grid and wearable technologies become prevalent, we need to look
12:25 am
beyond the desk stop. in summary it's important to recognize there's not absolute defense, both the public and private sectors need to increase in data sharing and adopting privacy enhanced practices, while finding new approaches to work with law enforcement and expand international cooperation. working together, we can make the internet more trust worthy, secure and resilient. thank you, and i look forward to your questions. >> thank you very much, mr. spiezle, and thank you all. i'll ask a question of each of you for are the record, which means if you could provide a written response, an that is, as you've heard, senator grave and i are working on legislation in this area. as you heard from the first panel, the department of justice and the federal bureau of investigation have a number of suggestions, i'd like to ask you for provide your comments, if any to the suggestions, and add
12:26 am
any suggestions you may have of your own so kell with build a good legislative report to support other proposal going forward. i'm also interested in your thoughts, as a lay person, it strikes me that botnets are becoming more dangerous, that the capabilities are growing. my first exposure to botnets was when they were spam propagators, and then they became distributed to vectors to swamp individual web sites. but now they seem, so many additional capabilities have been listed in this hearing right up to and including having people spy you on through your web cam on your computer while you're going about your business, and tracking your keystrokes individually so that they can know your passwords and have access to your accounts, is
12:27 am
my lay reading that botnets are becoming more dangerous or learning the -- the criminals behind them are learning more dangerous capabilities a correct one? what do you think the rate is of that change, if i'm credit? mr. boscovich. >> i think the observation is correct. we're seeing an ever-changing sophistication on the part of cybercriminals. i would like to point out to one particular case that demonstrates how creative cyber-criminals are. in this particular case, if my memory serves me correctly, one of our industry partners was symantec on that case, a case in which the bot-herders had developed code which took a step backwards. one of the reasons they did that is because technical counter measures that had been put in place by being google and other company toss detect click fraud relied upon a certain type of algorithm.
12:28 am
the criminals understood that, they had to reintroduce a human element into their code. in essence what they did is they've changed their code, and they took one step back to take two steps forward in such a way that the user would be using his or her mouse. while they were clicking or looking for something, the reality was that they were in fact clicking on ads that the user was not even seeing what was appears better hind the screen that they were looking at, introducing a certain variation that was consistent with human behavior. so the observation that criminals are in fact always learning, always changing is an accurate one. i think this example really underscores how sophisticated these cybercriminals are. >> in both dimensions, as you view it as an infrastructure for criminal activity, it has to be maintained, groomed and they're getting more sophisticated at that, they are also getting more sophisticated they top of
12:29 am
criminal payload, if you will, that they deliver through that botnet as well. is that correct, ms. mcgwire? >> that's correct. i think your summary is quite accurate, that they have begun to progress and being more sophisticated. for example the type of infrastructure they are using now, moving from simple command-and-control servers to peer-to-peer networks. is the type of morphing that we are seeing. all avenues that -- at their availability. >> dr. viksa, you mentioned that in the face of this threat prevention was something that we should be looking at, and you used the phrase in your testimony what did you mean by
12:30 am
underlying causes. and what would you recommend? >> i think that the reason that botnets have gotten stronger is because our computers have gotten stronger. our network has also gotten stronger, so it's -- it is possible to get a lot more work down with each computer you, as compared to five years before that. if they want to start kicking the dependencies under botnets, we would need to somehow address the lack of testing. i mentioned in my written remarks this last week there was an -- i think it was a we're leg
12:31 am
light babb that has a terrible security flaw in it. i understand how that can happen. i've tried to get products out my door myself. it's difficult to say, yeah, let's hold it back a couple weeks while we try to attack it every which way. what you want to do is get it out there, put it in customers' hands and so forth. that is not going to work. we have got to find a way to test the software the way the bad guys do. we have to do the so-called red team test, where you try to break in. if you can, you get some sort of internal prize. we have to find a way to encourage that. >> so with the electricity with the new technology, people trying to get stuff out the door that caught fire if you left it on too long, as you pointed out with respect to the toaster underwriters laboratory was established to make sure
12:32 am
appliances met the standards, have not been really a prominent concern for americans for quite some time. and how would the see it as bick overseen? >> when you're doing this kind of testing, you're looking for combinations and perm stations of how you set the knobs the problem is that my laptop has more complexity of that time than all the computers on the planet had 30 years ago. and so coming up with a direct analog of the way ul tests our electric devices i think is misleading. i think standards in software development, standards in
12:33 am
testing, possibly get away from some of the older programming languages that almost encourage the time of dwellings we see. >> how would those proposals be best administered? through a rating that gets -- you can advertise you have on your product if you have been through it voluntary. >> in that set, it's perfect. it's voluntary. if you want to sell a device that's not listed, it's up to you. if fewer people want to buy it because it doesn't have that stamp, that's up to them. so i think there is room for someone to step into that role, but it's not a government role. >> gotcha. mr. spiezle, you felt there were
12:34 am
steps that consumers, individuals could take to better acquaint themselves with this threat and better protect themselves from this threat. what would your recommendations be this seems like a high-tech type of crime. if you're an innocent user of your own computer, doing what you're good at what sensible steps should i be -- to defend themselves? >> let me clarify. my point is we all have a shared responsibility, not unlike driving a car. we have a responsibility for driving safely. we need to make sure our car is updated. we have new tires on it. that was the point there. i think realistically, though, education has a limited effect here. these attacks are social engineering, exploits are very
12:35 am
hard to identify, they're drive-by. just by the very nature of going to a trusted website that someone types in a url, there can be -- it's a shared responsibility, but i don't put the faith that that's going to be the solution, but it should be one part. i do want to address one point from your original question about the sophisticate, and clearly in the technical aspect, clearly the bot masters are more and more sophisticated, but also they're more sophisticated in leveraging by data. data mining capable, so that adds to the profitability, their ability to use that data, and then in the underground economy makes it very profitable, so they become very nimble. they've become good marketers in a sense and they're learning from business. those are some of the challenges we must address. >> two final questions. the first is that many of the perpetrators in this area are
12:36 am
foreigners. and we're obviously going to work with the department of justice and the federal bureau of investigation to make shirr that they have the capabilities that they need to be as strong as they can be in terms of pursuing foreign criminals. but none of you are voefd as laws enforcement officials. you are involved as representing private companies and organizations. in that sense when you bring a civil action to close down a botnet, you may have civil remedies against individuals overseas that are different than what a prosecutor would be looking at. are there recommendations that you would have as to how we could strengthen overseas enforcement against the individuals and organizations that are running the botnets that could supplement just the technical capability to take down the botnets?
12:37 am
sirchlts well, senator, i think that as a private company, as you mentioned, our main sphere of evidence is only flus the civil process. once we get default judgments, there is a procedure in which we could seek to, for example, localize a u.s. judgment overseas, but it's a complex and lengthy process. in all of the action that is we take with our partners, we then go ahead and always refer the cases and evidence that are the basis of the information that we arrive at through the civil process to law enforcement. the pros has been around for quite some time. and i believe some representatives were here earlier today. these are procedures that have been around for a very long time. there's always been a question. i could only talk about my experiences when i was at
12:38 am
justice, that it does take time to turn this information request around. >> the coordinating country of two minds as to how much they want to that's why the partnership is important. what we try to focus on is the immediate cessation of the arm to the people on the internet. to sever that communication, to stop the harm, and to notify the victims, and then try to do something to remediate and clean their computers, working through isps, that's the job that we believe we can do and do very well with industry partners, and with the government as well. in terms of the criminal side, i would have to defer to my former colleagues at the justice department. >> i was thinking more of the civil side and pursuing personal liability and accountabilities foreigners who have done harm to your companies, ms. mcguire,
12:39 am
that game over seuss, modifications to that particular malware already being used by a new criminal gang or perhaps the original perpetrator who fled to eastern europe to launch new criminal activity. this is the kind of thing where if we had a faster, speedier inlet process we could potential address these kids of issues, as oppose to do what i have been told by law enforcement partners can take anywhere from six months to never. so those are the enhancements that we need in order to go -- >> again you're comfortable relying on the law enforcement process and at this point don't have any interest in pursuing
12:40 am
civil liability against private companies against foreign individuals as a deterrent or to recover for the damages that they have caused you? >> most of our activity is on the shares of information and notification to our international both law enforcement and cert partners. so they can take the action in their jurisdictions. what have each of you seen in terms of the coordination that has been your experience between the private sector and between law enforcement? it seems to me fourth quarter what i hear, to be in a pretty good place right now. there are a number of mechanisms through which -- the f-guide in particular, but other agencies cooperate with the private sector, exchange information, i
12:41 am
would like to hear from each of you how close we are to what you think we should be doing. start from this side. >> i then we've had great success, but i think there's a whole other layer we are not getting today. more data shares, and certain we're seat process with the sfi-sec. we get data from them. the reason this is important is it's connecting the dot. not always just from the isps and other sectors. we need to open the dialogue, but also to remove the burden of whether it's antitrust, the concerns of privacy, or the concerns of regulatory authorities coming after them. how do we open that dialogue even domestically so we can get a higher level of telemetry from other data sources. >> dr. vixie? >> i mentioned in my remarks
12:42 am
that the internet is borderless, you mentioned in this question that the criminals are borderless. i think that firmly points to the fact that our solutions have to be borderless. i will say ncfta in pittsburgh has a huge international outreach program. i go in there and do training of the international law enforcement community every summer, but they do it year round. it's a huge thing. a lot of the other country where cybercrime is originating right now don't have the capability to train their people logly. so i think i really want to encourage more outreach of that kind, i don't have an answer for civil lawsuits.
12:43 am
i know that it can be used if you're trying to get at somebody and you don't know who they are, you can obvious get a court order using a john doe, but it's me messy and it hasn't produced consistent results. >> we've seen significant improvements frankly over the last two year and our ability to work with them, their responsesives in to the information we are sharing with them, about just the process that they are using. as i think i mentioned earlier, game over zueus is the best camp
12:44 am
so far. they reached out to over 30,000 organizations, brought all of them together so that collectively we could be ready and work the takedown once the junctions and appropriate actions were taken. >> borderless response, to dr. vixie's comments. >> borderless response, exactly. we have a model as a proof point for the future. >> mr. boskovich. >> i think deconflict shun is one of the dee dee tails. in cases such as sit adebt, more recently a perfect example of public priefer all while
12:45 am
stopping the harm immediately, working to help the victims, yet statement allowing the criminal side to do what they do best. where we deconflict law enforcement to achieve the greatest impact possible in these takedowns. >> thank you very much. a final good worked to microsoft, just lawyer to lawyer, you are among the earl yes companies, probably all three of you were involvement. and just as a law, to real those early complaints and see the statutory grounds based on very
12:46 am
modern complicated electronic privacy statutes, and at the same time doctrines of english common law that were transmitted to american when we formed or country dating back to the 100s, side by side, it was a -- it must have been a lot of fun, terrific legal work, and it had a wonderful effect, so i compliment you on it. i assume that you would want, you know -- we're legislators, so we think about legislating everybody just like the story about the hammer. every solution that a hammer sees requires a nail. and so we tend to think in terms of new and amended statutes. but i gather you would want to make sure we left room for traditional common-law remedy toss maintain themselves as a part of the repertoire here and allow the natural development that the common law permits.
12:47 am
is that fair to say? >> absolutely, senator. one of the beauties behind the common law system is its ability to adapt constantly to new facts. what we are looking at here is a threat which is constantly adapting. something that is always moving, always morphing. the beauty behind common law and trespass to chattels, tortious interference, these are theories we can use over and over again and are part of a system that at its core, is able to adapt quickly. so yes, i would love to see the standard common law principles remain intact as we tackle these. now, having said that, it doesn't mean there's not always room for improvement in both present statutes and potential even new statutes. we would gladly take a look at any type of amendment and/or proposed legislation that congress and yourself may have, and give our comments so that you could have the best insight possibility from us, at least.
12:48 am
>> certainly when they first came up upon trespass on chattels, that certainly has been a lasting doctrine. let me thank all of the witnesses for this hearing. i appreciate very much your input. i look forward to the responses to the question for the record. i think that we have a very strong bipartisan group of senators who are very interested in this sure and are looking forward to coming up with legislation that can pass and help you in your important pursuits to protect our economy, your clients and your companies from the kind of attacks that are we are seeing largely from overseas. so god speed to you all in your work. thank you very much for what you have done and for your testimony today, and we will keep the record open for one week for anybody who cares to add anything to the record, and for
12:49 am
the response toss come in. with that, we are adjourned. sc-
12:50 am
12:51 am
>> sent to governors and events that can also be found in the blue binder in front of all of you. they include the agenda, the background information, the updates on state and federal actions under this committee's jurisdiction and materials of our speakers. to my right is stephen parker, legislative director of the education and workforce committee. if you have any question, need any assistance in this area, see stephen. today we are honored to be joined by u.s. senator lamar alexander, country music television's leadership folks, and students and staff from the academies of nashville. before we proceed to our agenda, governor sandoval all and all --
12:52 am
and i want to update our agenda the receptors commit in the 140 days between the winter meeting at our session today. first on the wia set-aside. we aimed to restore the 15% of workforce investment act, or wia set-aside. we use that momentum of the recent partial increase of the set-aside to lobby for the full restoration. in june, nga released a report illustrating how states are using wia set-aside funding to revise and expand critical state workforce initiatives. due to all of our hard efforts, governors were able to secure a major victory on the set-aside. we are pleased to report that a bipartisan, wia reauthorization bill passed the senate two weeks ago at and on wednesday of this
12:53 am
week, that same bill passed the house and is awaiting the president's signature. for the first time in more than 15 years, it appears that the most significant federal workforce law will be updated. updated to give governors more flexibility to meet the training needs of their states workforce. after months of negotiations, senator alexander, in -- and a bipartisan group of senate and house leaders, crafted a bill that includes reaffirmation of the governors 15% set aside, preserves the governor's authority over state workforce boards, and includes the nga common measures proposal. which consolidates more than 100 outdated indicators in four core measures. this is an important bill for governors. governors are mentioned more than 160 times throughout the legislation and nga has been working with congress on
12:54 am
reauthorization for a decade. senator alexander, we applaud your leadership to give governors more tools to promote our job creation and spur economic growth and get our people back to work. and let's give the senator a round of applause. [applause] >> now on career and technical education, with congress expected reauthorization of the perkins career and technical education act, the committee developed principles on cge that aimed to preserve state led, state designation career and technical education innovation while ensuring governors play a more central role in perkins. now at this point i want to turn the floor over to vice chair governor brian sandoval to show some the additional committee accomplishments. >> thank you for your leadership on this committee. it's an honor to serve with you and my fellow governors on this
12:55 am
very important committee. first i want to talk about early childhood education. in march the committee began developing principle to ensure a strong state role as congress considers early education proposals. our principles proposed the governors take the lead role in any state, federal partnership and that any state, federal program recognized the current significant state investments in early education. next, the vice president workforce review. as we just heard in the opening session, the vice president has been conducting a comprehensive review of federal workforce programs. in april the nga submitted a memorandum to the vice president with a recommendation -- eight recommendations to provide states with more tools to meet the needs of the state economies. we are continuing to work with the white house to develop a strategy for implementation of the recommendations. finally, see acg. the committee took steps to fix the college access college grant
12:56 am
program to bolster state led efforts to ensure college access and affordability. governor beshear, ghent, it was a pleasure to work with you this year. it's clear the committee's progress that we should continue to work together i think there been a great amount of success as i think this is an example of bipartisanship and will be very meaningful for the people of america and of our state. thank you, sir. >> thank you, governor. today said alexander will discuss recent congressional action on education and workforce and a governors can work with congress on these issues. after his presentation will open the floor for discussion between governors and the senator. then we'll have the country music television discussing their partnership with national schools and how career and technical education is proving to be a source of workers high skill jobs in central tennessee. and, finally, we'll see presentations from students
12:57 am
showing off recent cte projects. now i'd like to call upon our host, governor haslam, to welcome our first guest. >> thank you all and we're glad you are in session. i can think of very few people who is more about to address this committee and senator alexander. to begin with is a former nga chair, and the last time the nga was here 30 years ago, then governor alexander hosted a meeting, and he's gone on to a few other things, but it helps to know a little bit of where he came from. his mother was a teacher. his father was in elementary school principal. he became governor but after that he was secretary of education for the united states. he was the university of tennessee college president, so he has seen education and its issues from a variety of standpoints besides just being ranking member of the senate health, education, labor and
12:58 am
pensions committee which primarily deals with education issues in washington. but most importantly to us isn't this. you all should be jealous of tennessee for a lot of reasons in my opinion, but one of those is that where the u.s. senator who used to be a governor. ask him looking i guess governor -- governor chafee serve with lamar in the senate and governor branstad serve as governor together with lamar as well. so you know of what i speak. but it is an incredible advantage for tennessee to have somebody in washington used to be a governor. we talk all the time about being washington understands issues from our viewpoint. senator alexander literally does that. he has stood up on the floor of us in on more than one occasion and said your vote on this would be different if you were sitting in a state capital having to let this. because of that we are very grateful. it's my honor to introduce our former governor, now our senator, and my friend, lamar
12:59 am
alexander. [applause] >> thank you, bill. this is a treat for me. and i'll keep in mind what our friend said, he gets in trouble only when he opens his mouth. so i will try to be brief. i know i can learn a lot more from the governors and they can for me. you can see why we are so happy in tennessee to bill haslam as governor. he's tackling some real terrific issues. issues i never could have imagined dealing with, and he's gotten that done and everybody still likes them. it's a tremendous come he's a tremendous leader. he's right, terry and i were both there in 1984, and kerry has been back since. he's visited us in east tennessee and he came down -- the elderly brothers grew up in iowa, shadow as i remember and
1:00 am
then they moved to knoxville where bill is from. bill was mayor. i got mad at each other and they finally reunited about 15 years ago when i invited kerry to come down. we saw that reunion. good to see terri, and, of course, i sort with lance, others here whom i know. if you've been here in 1984, many perl would have welcomed you. and some of you won't remember many perl. but she was my neighbor. she lived next door. people ran for governor, they live next door to many perl. it had the price tag on a. this is the story she would've told. schuett said i was riding in an elevator minding my own business and this tourist from kentucky gets on and he looks me up and down and says has anybody ever told you, you look a lot like mini pearl? she said, i said yes, sir, they have. and he looked me u


disc Borrow a DVD of this show
info Stream Only

Uploaded by TV Archive on